lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <49411252.9080508@dd-wrt.com>
Date: Thu, 11 Dec 2008 14:14:58 +0100
From: "Sebastian Gottschall (DD-WRT) " <s.gottschall@...wrt.com>
To: pUm <hijacka@...glemail.com>
Cc: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

all fixed images (for all platforms) are now provided here in our test 
folder

http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Feko%2FBrainSlayer-V24-preSP2%2F111208/


consider, before you advise to "not use" dd-wrt.

all other major firmware distributions are affected by the same issue. 
this includes openwrt too

Sebastian


pUm schrieb:
> this is no security flaw since you must be already logged in within
> the webinterface of dd-wrt. otherwise this here will not work. we
> already fixed this issue in our sourcetree
>
> as additional information. this is no dd-wrt specific issue. all other
> firmware like openwrt etc. would suffer from it too.
>
> in fact. just a plain POST to a authenticated dd-wrt session. without
> beeing logged in locally it would not have any effect
> -----------------------------------
>
> oh god - you dd-wrt people sucks so much. its unbelievable in which
> way you are handling security advisories. if you would be able to make
> a post without authentication it would be much worst. I would
> recommend to read www.owasp.org
>
> another example for the bad security work of the dd-wrt guys are one
> this forum post:
> http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783&postdays=0&postorder=asc&start=0
>
> bitmage discovered that in every fresh release and every custom
> firewall two other rules are added in front of all.
> the rules will allow every service on the dd-wrt router from the ip
> 194.231.229.20 and from the ip 212.65.2.116
>
> some workarounds exist, I didnt test any of them, because dd-wrt isnt
> trustworth anymore for me. I can confirm this flaw in the latest
> stable vpn release.
>
> please note the workarounds from the main developer from dd-wrt:
> "even i see no reason for this. these ip addresses arent valid
> anymore. it seems that chris implemented this for a customer. i
> removed it now" (they are still in the default install image)
> "nvram unset ral
> nvram commit "
> "there is no security hole. both ip's are not active anymore and
> obsolete since a long time. "
> "i will lock this thread now. a new release is scheduled soon (within
> this or next week), but you cannot force me to release buggy code
> based on the current internal tree.thats my last statement on this
> topic" (Posted: Tue Aug 19, 2008 10:57 pm)
>
> I recommend everyone to not use dd-wrt anymore, at least as long as
> they didnt change their politics and stops talking bullshit "there is
> no security hole"
>
> cheers
>
>   


-- 
Mit freundlichen Grüssen / Regards

Sebastian Gottschall / CTO 

NewMedia-NET GmbH - DD-WRT 
Firmensitz:  Wormser Straße 5 - 7, 64625 Bensheim
Registergericht: Amtsgericht Darmstadt, HRB 25473
Geschäftsführer: Peter Steinhäuser, Christian Scheele
http://www.dd-wrt.com
email: s.gottschall@...wrt.com
Tel.: +496251-582650 / Fax: +496251-5826565 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ